tls: check for custom fields logging
authorJuliana Fajardini <jufajardini@gmail.com>
Wed, 16 Oct 2024 19:26:44 +0000 (12:26 -0700)
committerJuliana Fajardini <jufajardini@gmail.com>
Thu, 17 Oct 2024 02:49:57 +0000 (19:49 -0700)
Related to
Bug https://redmine.openinfosecfoundation.org/issues/7287

tests/tls/tls-eve-custom-fields/README.md [new file with mode: 0644]
tests/tls/tls-eve-custom-fields/suricata.yaml [new file with mode: 0644]
tests/tls/tls-eve-custom-fields/test.yaml [new file with mode: 0644]

diff --git a/tests/tls/tls-eve-custom-fields/README.md b/tests/tls/tls-eve-custom-fields/README.md
new file mode 100644 (file)
index 0000000..133fabd
--- /dev/null
@@ -0,0 +1,12 @@
+### Test
+
+Check that missing TLS custom fields are checked in test -- to test for
+JSON schema completion.
+
+### Pcap
+
+Reused from test `tls-store-02`.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7287
diff --git a/tests/tls/tls-eve-custom-fields/suricata.yaml b/tests/tls/tls-eve-custom-fields/suricata.yaml
new file mode 100644 (file)
index 0000000..18ca853
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - tls:
+            ja4: on
+            custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, subjectaltname, client, client_certificate, client_chain]
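Review bot: `ja4: on` is enabled for the tls logger, but none of the checks in this commit's test.yaml look at a JA4 field, so that option adds configuration without adding coverage. Either drop it, or add a presence check such as `has-key: tls.ja4` in a filter of its own. Whether JA4 is emitted alongside a `custom` list, and whether it depends on a build feature, is not visible from this diff and should be confirmed first. A one-line comment above `custom:` saying the list is meant to enumerate every custom TLS field for schema coverage would also help whoever extends it later.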
diff --git a/tests/tls/tls-eve-custom-fields/test.yaml b/tests/tls/tls-eve-custom-fields/test.yaml
new file mode 100644 (file)
index 0000000..84c5187
--- /dev/null
@@ -0,0 +1,36 @@
+requires:
+    min-version: 8
+
+args:
+- -k none
+
+pcap: ../tls-store-02/tls-client-auth.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.subject: C=HU, ST=Budapest, L=Budapest, O=TLSClientAuthSampleServer, CN=SampleServer
+        tls.issuerdn: C=HU, ST=Budapest, L=Budapest, O=TLSClientAuthSampleCA, CN=SampleRoot
+        tls.subjectaltname[0]: localhost
+        tls.serial: 00:C7:D4:28:8B:80:E0:1E:25
+        tls.fingerprint: 06:39:f9:5d:fe:81:53:c4:9d:f0:ac:80:3e:2d:42:07:e8:96:de:09
+        tls.sni: localhost
+        tls.version: TLS 1.2
+        tls.notbefore: '2018-04-14T20:55:27'
+        tls.notafter: '2018-05-14T20:55:27'
+        tls.client.serial: 00:C7:D4:28:8B:80:E0:1E:27
+        tls.client.notbefore: '2018-04-14T20:55:27'
+        tls.client.notafter: '2018-05-14T20:55:27'
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        has-key: tls.certificate
+        has-key: tls.chain
+        has-key: tls.client.subject
+        has-key: tls.client.issuerdn
+        has-key: tls.client.fingerprint
+        has-key: tls.client.chain
+        has-key: tls.client.certificate
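Review bot: The second filter's `match` mapping repeats the key `has-key` seven times. Duplicate keys are invalid in a YAML mapping, and most loaders silently keep only the last one. If the test runner loads this into a plain mapping, the check likely asserts only `tls.client.certificate` and would still pass with the other six fields missing from the TLS log. Unless the runner is known to preserve duplicate keys, give each `has-key` its own filter entry so every field is actually verified.

```yaml
# … unchanged: first filter with the exact-value matches …
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.certificate
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.chain
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.client.subject
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.client.issuerdn
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.client.fingerprint
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.client.chain
  - filter:
      count: 1
      match:
        event_type: tls
        has-key: tls.client.certificate
```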